[Freeipa-users] ipa-replica-install hangs: starting certificate server instance
Martin Bašti
mbasti at redhat.com
Thu May 18 12:49:14 UTC 2017
It will create a clone of the original CA; it will work as a backup, not a
separate CA.
I'm afraid it will result in the same behaviour because it uses almost
the same code, but as I said before this issue is on the dogtag side and not
always reproducible.
On 18.05.2017 14:44, Callum Guy wrote:
> Thanks for that Martin.
>
> The man page for ipa-ca-install suggests I could pass in my replica
> file to create a "CA-less" configuration. Is this what I want or is a
> CA-full appropriate? All I want to achieve is the additional
> resilience provided by a replica which can both authorise and sign
> certificates in the event of a loss of the master server. I certainly
> don't want an entirely separate CA to be installed - my anticipation
> is that my replica will be able to become an intermediate authority -
> is that the intended arrangement for a replica?
>
> Finally, do you hold out much hope that ipa-ca-install will work any
> better than the --setup-ca flag I was attempting to get working for the
> replica install? If it's the same code I would probably just end up
> with a half-configured CA and have to rebuild my replica - something I
> would like to avoid repeating after the last couple of days!
>
> On Thu, May 18, 2017 at 1:28 PM Martin Bašti <mbasti at redhat.com> wrote:
>
> ipa-ca-install will install on top of FreeIPA CA-less replica,
> nothing else, you really don't want to do it manually.
>
>
> On 18.05.2017 14:12, Callum Guy wrote:
>> Thanks Martin, really appreciate the additional information.
>>
>> Are you aware of a separate guide for installing DogTag/PKI on
>> top of FreeIPA - basically I am happy to install separately if it
>> doesn't compromise the FreeIPA server configuration, I'm not
>> clear on whether this is possible without a major time investment.
>>
>> On Thu, May 18, 2017 at 12:46 PM Martin Bašti <mbasti at redhat.com> wrote:
>>
>>
>> Please note that commits in #6766 will not fix this issue,
>> the issue is on dogtag side, please see
>> https://pagure.io/dogtagpki/issue/2646
>>
>> Sorry for troubles
>>
>>
>> On 18.05.2017 12:19, Callum Guy wrote:
>>> Haha, looks like I'm going CA-less for a while on the
>>> replica. I don't see any immediate requirement for one so
>>> time to get on with my life!
>>>
>>> I'll post back if anything changes but I'm probably stuck
>>> waiting for the upgrade too..
>>>
>>> On Thu, May 18, 2017 at 11:01 AM Lachlan Musicman
>>> <datakid at gmail.com> wrote:
>>>
>>> Sorry cobber. We only found 6766 today - we've been
>>> tackling it on and off for a couple of weeks :)
>>>
>>> ------
>>> "Mission Statement: To provide hope and inspiration for
>>> collective action, to build collective power, to achieve
>>> collective transformation, rooted in grief and rage but
>>> pointed towards vision and dreams."
>>>
>>> - Patrice Cullors, /Black Lives Matter founder/
>>>
>>> On 18 May 2017 at 19:53, Callum Guy
>>> <callum.guy at x-on.co.uk> wrote:
>>>
>>> Ah, thanks for that Lachlan - it's always reassuring
>>> to hear that it's not just me!
>>>
>>> As mentioned above I have it running without the CA
>>> so that's a good start. I am sure we will upgrade as
>>> well once 4.5 becomes stable and GA for CentOS. I'm
>>> not expecting that to happen quickly so will have to
>>> work with what we have for now.
>>>
>>> Do you happen to know if there is any way to build
>>> the CA component separately?
>>>
>>> On Thu, May 18, 2017 at 10:38 AM Lachlan Musicman
>>> <datakid at gmail.com> wrote:
>>>
>>> https://pagure.io/freeipa/issue/6766
>>>
>>> 4.5.1 - I stand corrected. Can add more tomorrow.
>>>
>>>
>>> On 18 May 2017 at 19:34, Lachlan Musicman
>>> <datakid at gmail.com> wrote:
>>>
>>> We are seeing this. I'm not at work, but I
>>> think it's bug report 6766.
>>>
>>> Patch has already been committed (not by
>>> us), we're waiting for IPA 4.5.
>>>
>>> cheers
>>> L.
>>>
>>>
>>> On 18 May 2017 at 18:57, Callum Guy
>>> <callum.guy at x-on.co.uk> wrote:
>>>
>>> Hi All,
>>>
>>> I am currently stuck trying to setup the
>>> first replica of our master IPA server.
>>> I have tried a number of different
>>> approaches including escalating from a
>>> client and nothing is working for me. I
>>> perform a full OS reset each time I get
>>> stuck.
>>>
>>> I'm running CentOS 7.2 with FreeIPA
>>> 4.4.0 (rpm -q reports this version,
>>> however I have performed
>>> ipa-server-upgrade - does this mean I'm
>>> on 4.4.4?).
>>>
>>> The command is shown below - note that I
>>> am skipping the conn check as my
>>> platform's security settings do not allow
>>> the SSH session to be established back
>>> on the master; all ports should be
>>> available to the application, however.
>>>
>>> [root at ipa2 ~]# ipa-replica-install
>>> --ip-address=172.24.0.101 --setup-ca
>>> --setup-dns --skip-conncheck
>>> --no-forwarders SITE.net.gpg
>>>
>>> Directory Manager (existing master)
>>> password:
>>>
>>> ipa : ERROR Could not resolve
>>> hostname ipa2.SITE.net using DNS.
>>> (This check queries IPA DNS directly
>>> and ignores /etc/hosts.)
>>> Continue? [no]: yes
>>> Configuring NTP daemon (ntpd)
>>> [1/4]: stopping ntpd
>>> [2/4]: writing configuration
>>> [3/4]: configuring ntpd to start on boot
>>> [4/4]: starting ntpd
>>> Done configuring NTP daemon (ntpd).
>>> Configuring directory server (dirsrv).
>>> Estimated time: 1 minute
>>> [1/42]: creating directory server user
>>> [2/42]: creating directory server instance
>>> [3/42]: updating configuration in dse.ldif
>>> [4/42]: restarting directory server
>>> [5/42]: adding default schema
>>> [6/42]: enabling memberof plugin
>>> [7/42]: enabling winsync plugin
>>> [8/42]: configuring replication
>>> version plugin
>>> [9/42]: enabling IPA enrollment plugin
>>> [10/42]: enabling ldapi
>>> [11/42]: configuring uniqueness plugin
>>> [12/42]: configuring uuid plugin
>>> [13/42]: configuring modrdn plugin
>>> [14/42]: configuring DNS plugin
>>> [15/42]: enabling entryUSN plugin
>>> [16/42]: configuring lockout plugin
>>> [17/42]: configuring topology plugin
>>> [18/42]: creating indices
>>> [19/42]: enabling referential integrity
>>> plugin
>>> [20/42]: configuring ssl for ds instance
>>> [21/42]: configuring certmap.conf
>>> [22/42]: configure autobind for root
>>> [23/42]: configure new location for
>>> managed entries
>>> [24/42]: configure dirsrv ccache
>>> [25/42]: enabling SASL mapping fallback
>>> [26/42]: restarting directory server
>>> [27/42]: setting up initial replication
>>> Starting replication, please wait until
>>> this has completed.
>>> Update in progress, 4 seconds elapsed
>>> Update succeeded
>>>
>>> [28/42]: adding sasl mappings to the
>>> directory
>>> [29/42]: updating schema
>>> [30/42]: setting Auto Member configuration
>>> [31/42]: enabling S4U2Proxy delegation
>>> [32/42]: importing CA certificates from LDAP
>>> [33/42]: initializing group membership
>>> [34/42]: adding master entry
>>> [35/42]: initializing domain level
>>> [36/42]: configuring Posix uid/gid
>>> generation
>>> [37/42]: adding replication acis
>>> [38/42]: enabling compatibility plugin
>>> [39/42]: activating sidgen plugin
>>> [40/42]: activating extdom plugin
>>> [41/42]: tuning directory server
>>> [42/42]: configuring directory to start
>>> on boot
>>> Done configuring directory server (dirsrv).
>>> Configuring certificate server
>>> (pki-tomcatd). Estimated time: 3 minutes
>>> 30 seconds
>>> [1/27]: creating certificate server user
>>> [2/27]: configuring certificate server
>>> instance
>>> [3/27]: stopping certificate server
>>> instance to update CS.cfg
>>> [4/27]: backing up CS.cfg
>>> [5/27]: disabling nonces
>>> [6/27]: set up CRL publishing
>>> [7/27]: enable PKIX certificate path
>>> discovery and validation
>>> [8/27]: starting certificate server
>>> instance
>>>
>>> And here it stays and refuses to move
>>> on. The ipareplica-install.log log reports:
>>> 2017-05-18T08:40:07Z DEBUG
>>> wait_for_open_ports: localhost [8080,
>>> 8443] timeout 300
>>> 2017-05-18T08:40:09Z DEBUG Waiting until
>>> the CA is running
>>> 2017-05-18T08:40:09Z DEBUG request POST
>>> http://ipa2.SITE.net:8080/ca/admin/ca/getStatus
>>> 2017-05-18T08:40:09Z DEBUG request body ''
>>>
>>> I have tried, and that port is indeed
>>> inaccessible, but I can't establish a way
>>> to progress this issue from any of
>>> the other log files. Also I have seen in
>>> the 4.4.4 release notes that IPv6 being
>>> disabled on the master can cause issues;
>>> re-enabling it (at least in /etc/hosts) did
>>> not seem to help.
>>>
>>> If anyone is able to offer ideas that
>>> would be very much appreciated. I am
>>> tempted to remove the --setup-ca option
>>> to see if this helps.
>>>
>>> Thanks,
>>>
>>> Callum
>>>
>>>
>>>
>>> 0333 332 0000 | www.x-on.co.uk |
>>> <https://www.linkedin.com/company/x-on>
>>> <https://www.facebook.com/XonTel>
>>> <https://twitter.com/xonuk>
>>> X-on is a trading name of Storacall
>>> Technology Ltd a limited company
>>> registered in England and Wales.
>>> Registered Office : Avaland House, 110
>>> London Road, Apsley, Hemel Hempstead,
>>> Herts, HP3 9SD. Company Registration No.
>>> 2578478.
>>> The information in this e-mail is
>>> confidential and for use by the
>>> addressee(s) only. If you are not the
>>> intended recipient, please notify X-on
>>> immediately on +44(0)333 332 0000
>>> <tel:+44%20333%20332%200000> and delete the
>>> message from your computer. If you are
>>> not a named addressee you must not use,
>>> disclose, disseminate, distribute, copy,
>>> print or reply to this email. Views or
>>> opinions expressed by an individual
>>> within this email may not necessarily
>>> reflect the views of X-on or its
>>> associated companies. Although X-on
>>> routinely screens for viruses,
>>> addressees should scan this email and
>>> any attachments
>>> for viruses. X-on makes no
>>> representation or warranty as to the
>>> absence of viruses in this email or any
>>> attachments.
>>>
>>>
>>> --
>>> Manage your subscription for the
>>> Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info
>>> on the project
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>> --
>> Martin Bašti
>> Software Engineer
>> Red Hat Czech
>>
>>
>>
>>
>
> --
> Martin Bašti
> Software Engineer
> Red Hat Czech
>
>
>
>
--
Martin Bašti
Software Engineer
Red Hat Czech
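The install log quoted earlier in the thread shows the replica installer polling
`wait_for_open_ports: localhost [8080, 8443]` and never seeing the CA come up, and
the original poster mentions the IPv6/loopback note in the release notes. When
debugging that kind of hang on the replica it helps to compare what "localhost"
actually resolves to in /etc/hosts with what pki-tomcatd has bound, rather than
guessing. The following is an added diagnostic written for this page; it is not
code from the thread, from FreeIPA or from Dogtag. It parses `ss -ltn` output and
/etc/hosts (both samples below are constructed) and reports every
(address, port) pair the installer would wait on that has no matching listener.
The rule that a `::` or `*` wildcard listener also serves IPv4 addresses assumes a
dual-stack socket with `bindv6only=0`, which is the Linux default; treat that as
an assumption, not a guarantee.

```python
from typing import List, Set, Tuple

# Ports ipa-replica-install polls on "localhost" before it will talk to the CA
# (taken from the wait_for_open_ports line in the quoted ipareplica-install.log).
CA_PORTS = (8080, 8443)

# Constructed /etc/hosts: stock CentOS 7 layout with both loopback entries plus
# the replica's own address (hostname from the thread; address is illustrative).
SAMPLE_HOSTS = """\
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.24.0.101 ipa2.SITE.net ipa2
"""

# Constructed `ss -ltn` listing for a replica stuck where the thread describes:
# dirsrv is up, Tomcat has bound 8080 on IPv4 loopback only, 8443 never opened.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:389       0.0.0.0:*
LISTEN 0      128    [::]:636          [::]:*
LISTEN 0      100    127.0.0.1:8080    0.0.0.0:*
LISTEN 0      100    127.0.0.1:8005    0.0.0.0:*
"""


def localhost_addrs(hosts_text: str) -> List[str]:
    """Every address that /etc/hosts maps the bare name 'localhost' to, in file order."""
    addrs = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()          # drop comments, tokenize
        if len(fields) >= 2 and "localhost" in fields[1:]:
            addrs.append(fields[0])
    return addrs


def parse_listeners(ss_text: str) -> Set[Tuple[str, int]]:
    """(address, port) pairs from `ss -ltn`; column 4 is Local Address:Port.

    IPv6 addresses are printed in brackets ([::1]:8443); the header line and any
    line whose port is not numeric are skipped.
    """
    listeners = set()
    for raw in ss_text.splitlines():
        fields = raw.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        listeners.add((addr.strip("[]"), int(port)))
    return listeners


def is_listening(listeners: Set[Tuple[str, int]], addr: str, port: int) -> bool:
    """True if some listener on `port` would accept a connection to `addr`.

    Assumption: '*' and '::' wildcards serve both families (dual-stack socket,
    bindv6only=0); '0.0.0.0' serves IPv4 only.
    """
    is_v4 = ":" not in addr
    for laddr, lport in listeners:
        if lport != port:
            continue
        if laddr == addr or laddr in ("*", "::") or (laddr == "0.0.0.0" and is_v4):
            return True
    return False


def missing_ca_ports(hosts_text: str, ss_text: str,
                     ports: Tuple[int, ...] = CA_PORTS) -> List[Tuple[str, int]]:
    """(address, port) pairs the installer's localhost check could still fail on."""
    listeners = parse_listeners(ss_text)
    return [(addr, port)
            for addr in localhost_addrs(hosts_text)
            for port in ports
            if not is_listening(listeners, addr, port)]


if __name__ == "__main__":
    # On a real replica: missing_ca_ports(open("/etc/hosts").read(),
    #                                     subprocess.check_output(["ss", "-ltn"], text=True))
    for addr, port in missing_ca_ports(SAMPLE_HOSTS, SAMPLE_SS):
        print(f"no listener for localhost -> {addr}:{port}")
```

With the constructed input this reports 127.0.0.1:8443, ::1:8080 and ::1:8443,
which is the useful split: a port that is missing on every address means the CA
web application has not started (look in the pki-tomcatd and Dogtag logs), while
a port that is present on one loopback family and absent on the other points at
the IPv6/loopback configuration the release notes warn about. An empty list means
the ports are bound and the problem is further along, at the `getStatus` request
the log shows the installer making next.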